March 13th, 2025

Microsoft 365 Certification control spotlight: Data in transit

Data in transit refers to data actively moving from one location to another, such as across the internet or through a private network. Protecting data in transit is crucial to prevent interception or unauthorized disclosure of information.

The Microsoft 365 Certification ensures ISVs use the latest threat prevention and data security standards in the development and deployment of their applications. Certification auditors will verify the following safeguards are in place:

Encryption: All data in transit must be encrypted using TLS (Transport Layer Security) 1.2 or another approved cryptographic protocol. This applies to all network traffic, including traffic that stays within virtual networks, cloud services, or datacenters.

TLS Configuration: Use an approved TLS 1.2 configuration to protect data in transit. The M365 TLS Configuration Standard is the authoritative source for TLS configuration requirements.
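The two requirements above (TLS 1.2 as the floor and TLS compression turned off) map directly onto a client-side TLS context. The following is an added example, not Microsoft's code or part of the M365 TLS Configuration Standard: it builds a hardened `ssl.SSLContext` in Python and audits any context against those requirements, so a service owner can check the settings their own code actually ships with. The `weak_tls_settings` object is a constructed stand-in for a permissive configuration, used only so the audit has something to flag.

```python
import ssl
from types import SimpleNamespace

# Added example (not Microsoft's code): a TLS context that meets the page's
# data-in-transit requirements, plus an audit function for any context.

MIN_TLS = ssl.TLSVersion.TLSv1_2  # the certification's minimum protocol version


def hardened_tls_context() -> ssl.SSLContext:
    """Return a client context that refuses anything below TLS 1.2 and never negotiates TLS compression."""
    ctx = ssl.create_default_context()      # verifies the server certificate and hostname by default
    ctx.minimum_version = MIN_TLS           # TLS 1.0 / 1.1 are rejected at handshake time
    ctx.options |= ssl.OP_NO_COMPRESSION    # TLS-level compression must be disabled
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_tls_context(ctx) -> list:
    """Return a list of findings; an empty list means the context meets the requirements above.

    Works on a real ssl.SSLContext or on any object exposing the same four attributes.
    """
    findings = []
    if ctx.minimum_version < MIN_TLS:
        findings.append(
            f"minimum TLS version is {ctx.minimum_version.name}; must be TLSv1_2 or higher"
        )
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is not disabled (OP_NO_COMPRESSION unset)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate verification is not required")
    if not ctx.check_hostname:
        findings.append("hostname verification is disabled")
    return findings


def weak_tls_settings():
    """Constructed stand-in for a permissive configuration (not a real context), for the audit to flag."""
    return SimpleNamespace(
        minimum_version=ssl.TLSVersion.TLSv1,   # below the required floor
        options=ssl.Options(0),                 # OP_NO_COMPRESSION not set
        verify_mode=ssl.CERT_NONE,
        check_hostname=False,
    )


if __name__ == "__main__":
    print("hardened:", audit_tls_context(hardened_tls_context()) or "no findings")
    for finding in audit_tls_context(weak_tls_settings()):
        print("weak:", finding)
```

The audit is deliberately attribute-based so it can be run in a unit test against the context your HTTP client or reverse-proxy wrapper constructs, without opening a connection; the external view of the same settings is what the SSL Server Test result referenced later on this page provides.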

These controls ensure that data stays secure while being transmitted, reducing the risk of unauthorized access or data breaches.

Certification verifies TLS encryption protocols

To pass the data in transit controls, ISVs must provide evidence that their app’s TLS configuration meets or exceeds the TLS profile configuration requirements. This includes ensuring that TLS compression is disabled across all public-facing services that handle web requests. They need to show that their TLS setup is robust and adheres to the approved standards. This can be demonstrated with an SSL Server Test result.

ISVs can validate that TLS HSTS (HTTP Strict Transport Security) is enabled and configured for 180 days across all sites by following these steps:

Qualys SSL Server Test: Qualys is a tool that can check both the TLS compression status and whether TLS HSTS is enabled and configured correctly. This free online tool provides a comprehensive assessment of any SSL web server on the public internet.

HTTP Header Spy and Securityheaders.com: These tools can be used to verify the HSTS header. They check the response headers of the public-facing services to ensure that the HSTS header is present and configured for at least 180 days.

Azure Front Door Configuration Screenshots: For services hosted on Azure, ISVs can use configuration settings screenshots from Azure Front Door to demonstrate that HSTS is enabled and configured correctly. This involves capturing screenshots that show the HSTS settings in the Azure portal.

ACAT: The App Compliance Automation Tool in Azure can ping the ISV’s public-facing service’s hostname to verify whether the HSTS header is enabled and configured for 180 days. This involves inputting the host address into the service, which then performs daily checks and provides a report. ACAT can also be used to expedite other controls for certification and continuously monitor an application’s compliance.

By using these methods, ISVs can ensure that their services comply with the required security standards for TLS HSTS, providing assurance that their data in transit is protected against attacks.
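Each of the tools listed above ultimately inspects the same thing: the `Strict-Transport-Security` response header and its `max-age` directive, which must cover at least 180 days (15,552,000 seconds). The following added example, which is not Microsoft's code and not part of ACAT or any of the tools named, parses that header and evaluates it against the 180-day requirement so a service owner can run the same check in their own pipeline before submitting evidence. The sample responses are constructed, not captured from any real service; `probe_hsts` performs a live request and is assumed to be run only against a host you operate.

```python
from datetime import timedelta

# Added example (not Microsoft's code): check an HSTS header against the
# 180-day requirement described on this page.

REQUIRED_MAX_AGE = int(timedelta(days=180).total_seconds())  # 15552000 seconds


def parse_hsts(header_value: str) -> dict:
    """Split a Strict-Transport-Security value into directives (names lower-cased, valueless ones map to True)."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if value else True
    return directives


def check_hsts(response_headers: dict) -> tuple:
    """Return (ok, reason) for a dict of HTTP response headers from a public-facing HTTPS service."""
    # Header names are case-insensitive, so match without regard to case.
    value = next(
        (v for k, v in response_headers.items() if k.lower() == "strict-transport-security"),
        None,
    )
    if value is None:
        return False, "no Strict-Transport-Security header"
    d = parse_hsts(value)
    max_age_raw = d.get("max-age")
    if max_age_raw is None or max_age_raw is True or not max_age_raw.isdigit():
        return False, "max-age directive missing or not numeric"
    max_age = int(max_age_raw)
    if max_age == 0:
        return False, "max-age=0 disables HSTS"
    if max_age < REQUIRED_MAX_AGE:
        return False, f"max-age {max_age}s (~{max_age // 86400} days) is below the 180-day requirement"
    extra = ", includeSubDomains set" if "includesubdomains" in d else ""
    return True, f"max-age {max_age}s meets the 180-day requirement{extra}"


def probe_hsts(hostname: str, timeout: float = 10.0) -> tuple:
    """Live check of a host you operate (network call; not exercised by the offline samples below)."""
    import http.client
    import ssl
    conn = http.client.HTTPSConnection(hostname, timeout=timeout, context=ssl.create_default_context())
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return check_hsts(dict(resp.getheaders()))
    finally:
        conn.close()


# Constructed sample responses (not captured from any real service).
SAMPLE_RESPONSES = {
    "compliant": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "too-short": {"strict-transport-security": "max-age=86400"},
    "missing": {"Content-Type": "text/html"},
    "disabled": {"Strict-Transport-Security": "max-age=0"},
}


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        ok, reason = check_hsts(headers)
        print(f"{label:10} {'PASS' if ok else 'FAIL'}: {reason}")
```

Note that `max-age=0` is a valid header value with the opposite effect of what the control requires (it tells browsers to forget the HSTS policy), which is why the check treats it separately from a merely short lifetime; a screenshot-based review can miss that distinction, a header check does not.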

Next steps

To learn more about how Microsoft 365 Certification validates that data in transit controls are in place for your application, visit the sample evidence guide.

To start certification, go to the Microsoft Partner Center dashboard, select an app from Marketplace offers overview, and select App Compliance.
